Version: 3.25

Denylist and Allowlist

Records in the Applications, Automations, Uninstaller, Control panel and DLLs sub-modules can be separated into denylists and allowlists. They can also be segregated at the global, workstation, credential, and access group levels.

For example, an administrator may not want users to run applications such as Microsoft PowerShell or the Windows Command Line (CMD), and can create a global denylist rule for them. If only a few users should have access to these applications, the administrator can instead create an access rule based on access groups.

Create rule

Registered rules are available in the menu GO Endpoint Manager ➔ Settings ➔ Access lists. To create a configuration, follow these steps:

  1. Access the reporting action at the desired segregation level:

    | Type | Description |
    |---|---|
    | New global segregation | New global segregation valid for all users |
    | New workstation segregation | New workstation-based segregation |
    | New segregation for credential | New global segregation based on credential. It will apply to all users with access to the credential |
    | New segregation for groups | New global segregation based on credential access group. It will apply to all users who use a credential through the specific access group |

  2. You will be presented with a screen to select the segregation entity, as follows:

    | Type | Description |
    |---|---|
    | Name | Name of the segregation. Use a name that makes the purpose of this configuration clear |
    | Action | Choose between the Allowlist and Denylist options |
    | Status | Keep Active for the rule to be applied |
    | Record the session of these applications | Indicates whether a video of the application's entire execution should be recorded and forwarded to senhasegura |
    | Applications | The applications that should be filtered. Filters can be applied on different characteristics of the application: |
    | Certificate | Checks whether the application's certificate is valid. If it is valid, it is checked against the rule (allowed or denied); if there is no certificate, it is not checked |
    | COM class ID | Information that all applications have, in GUID format |
    | Directory | The application path. To match the rule, the registered path must be exactly the same as the file's path |
    | File hash | A unique piece of information that each file has. A new hash is generated for every change made to the file |
    | File version | The file version |
    | Internet Zone Identifier | Refers to the origin of the file. A file downloaded from the internet is marked as Internet Zone, which is usually the case for all downloaded files, whereas installed executables, for example, are marked as Local Zone |
    | Product Name | The name of the program. It is evaluated against both the file name and the program name |
    | Product Version | The product version |
    | Source URL | Contains information you have in video files |
    | Update Code | A GUID for each program, which can be found in the Windows registry |
    | Vendor name | The name of the manufacturer |
    | Windows store publisher | A boolean that concerns applications downloaded from the Microsoft Store. It is validated against the file directory, which is in ProgramFiles (and x86 too), in a hidden folder called WindowsApps |

Alert!

An application executed outside senhasegura.go is blocked if it is on the denylist. If it is on neither the allowlist nor the denylist, it is executed normally.

Caution

The administrator can fill in segregation rule values using regular expressions.

The rules apply both to applications started by the senhasegura.go client and to applications started outside senhasegura.go.

Users become subject to these rules automatically.

The rules are combined. For example, if a user has an allowlist rule for an application and a denylist rule on a credential for the same application, the application will be shown as available. But if the user tries to execute it using the denied credential, the execution will be blocked and the user will be notified.
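Because rule values may be regular expressions, a Windows path pasted in unescaped can fail to compile or match more than intended. The following Python check is an added example, not senhasegura code: it tests a candidate Directory value against paths it must and must not match before the rule is registered. It assumes Python's `re` dialect and whole-path matching (the page does not state the product's regex dialect), and all sample paths are constructed.

```python
import re

def literal_path_rule(path):
    """Escape a Windows path so every character is matched literally."""
    return re.escape(path)

def check_rule(pattern, must_match, must_not_match):
    """Test a candidate rule value before registering it.

    Assumption: the value must match the whole path (fullmatch), mirroring the
    page's note that a Directory value must be exactly the same as the file.
    """
    try:
        rx = re.compile(pattern, re.IGNORECASE)  # Windows paths ignore case
    except re.error as exc:
        # Unescaped backslashes (e.g. "\c") can make the value an invalid regex.
        return {"valid": False, "error": str(exc),
                "missed": list(must_match), "unexpected": []}
    return {
        "valid": True,
        "error": None,
        "missed": [p for p in must_match if not rx.fullmatch(p)],
        "unexpected": [p for p in must_not_match if rx.fullmatch(p)],
    }

# Constructed sample paths, not taken from any real inventory.
DENY_TARGETS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]
MUST_STAY_ALLOWED = [
    r"C:\Program Files\Vendor\cmdline-helper.exe",
    r"C:\Windows\System32\notepad.exe",
]
# Hypothetical candidate values an administrator might consider for a denylist rule.
CANDIDATES = {
    "raw path": r"C:\Windows\System32\cmd.exe",
    "escaped path": literal_path_rule(r"C:\Windows\System32\cmd.exe"),
    "both shells": r"C:\\Windows\\System32\\(cmd|WindowsPowerShell\\v1\.0\\powershell)\.exe",
    "too broad": r".*cmd.*",
}

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(name, check_rule(pattern, DENY_TARGETS, MUST_STAY_ALLOWED))
```

A value is ready to register only when `valid` is true and both `missed` and `unexpected` are empty.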

Trusted Directory

Trusted directories ensure that any file inside the allowed path can be executed even if it is untrusted. To add a new trusted directory, go to General Settings and set a path.